Threat description



This trojan dropper appeared on February 28th, 2005. The dropper was spread in e-mail messages, but we are not sure whether they were seeded e-mails or there was some Bagle variant behind that. At the moment of creation of this description we have not seen any Bagle variant that sends such a dropper in e-mails, however we are seeing 2 new variants that send our similar droppers.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The dropper is a PE executable file 18432 bytes long. The dropped file is a DLL file 15360 bytes long. Neither dropper, nor DLL are packed.

Installation to system

When the dropper's file is run, it copies itself to Windows System directory as WINSHOST.EXE and drops a DLL file named WIWSHOST.EXE there. This DLL file is then injected into Explorer.exe process.

The dropper/injector creates 2 startup keys for its file in Windows Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]   "winshost.exe" = "%winsysdir%\winshost.exe" [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]  "winshost.exe" = "%winsysdir%\winshost.exe"   

where '%winsysdir%' represents Windows System folder. This is done to run the dropper every time Windows starts.

The downloader and its payload

The WIWSHOST.EXE file is mainly the downloader, but it also affects anti-virus and security software. When it is run, it first of all kills services with the following names:

wuauserv  PAVSRV  PAVFNSVR  PSIMSVC  Pavkre  PavProt  PREVSRV  PavPrSrv  SharedAccess  navapsvc  NPFMntor  Outpost Firewall  SAVScan  SBService  Symantec Core LC  ccEvtMgr  SNDSrvc  ccPwdSvc  ccSetMgr.exe  SPBBCSvc  KLBLMain  avg7alrt  avg7updsvc  vsmon  CAISafe  avpcc  fsbwsys  backweb client - 4476822  backweb client-4476822  fsdfwd  F-Secure Gatekeeper Handler Starter  FSMA  KAVMonitorService  navapsvc  NProtectService  Norton Antivirus Server  VexiraAntivirus  dvpinit  dvpapi  schscnt  BackWeb Client - 7681197  F-Secure Gatekeeper Handler Starter  FSMA  AVPCC  KAVMonitorService  Norman NJeeves  NVCScheduler  nvcoas  Norman ZANDA  PASSRV  SweepNet  SWEEPSRV.SYS  NOD32ControlCenter  NOD32Service  PCCPFW  Tmntsrv  AvxIni  XCOMM  ravmon8  SmcService  BlackICE  PersFW  McAfee Firewall  OutpostFirewall  NWService  alerter  sharedaccess  NISUM  NISSERV  vsmon  nwclnth  nwclntg  nwclnte  nwclntf  nwclntd  nwclntc  wuauserv  navapsvc  Symantec Core LC  SAVScan  kavsvc  DefWatch  Symantec AntiVirus Client  NSCTOP  Symantec Core LC  SAVScan  SAVFMSE  ccEvtMgr  navapsvc  ccSetMgr  VisNetic AntiVirus Plug-in  McShield  AlertManger  McAfeeFramework  AVExch32Service  AVUPDService  McTaskManager  Network Associates Log Service  Outbreak Manager  MCVSRte  mcupdmgr.exe  AvgServ  AvgCore  AvgFsh  awhost32  Ahnlab task Scheduler  MonSvcNT  V3MonNT  V3MonSvc  FSDFWD   

Then the trojan starts a thread that kills keys or values of the following Registry keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Symantec NetDriver Monitor  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ccApp  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,NAV CfgWiz  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SSC_UserPrompt  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee Guardian  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee.InstantUpdate.Monitor  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,APVXDWIN  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,KAV50  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_cc  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_emc  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Zone Labs Client  HKLM\SOFTWARE\Symantec  HKLM\SOFTWARE\McAfee  HKLM\SOFTWARE\KasperskyLab  HKLM\SOFTWARE\Agnitum  HKLM\SOFTWARE\Panda Software  HKLM\SOFTWARE\Zone Labs   

After that the worm starts a thread that scans all hard drives and deletes file with the following name:


Additionally this thread renames files belonging to security and anti-virus software. The following files get renamed:

CCSETMGR.EXE  CCEVTMGR.EXE  NAVAPSVC.EXE  NPFMNTOR.EXE  symlcsvc.exe  SPBBCSvc.exe  SNDSrvc.exe  ccApp.exe  ccl30.dll  ccvrtrst.dll  LUALL.EXE  AUPDATE.EXE  Luupdate.exe  LUINSDLL.DLL  RuLaunch.exe  CMGrdian.exe  Mcshield.exe  outpost.exe  Avconsol.exe  Vshwin32.exe  VsStat.exe  Avsynmgr.exe  kavmm.exe  Up2Date.exe  KAV.exe  avgcc.exe  avgemc.exe  zonealarm.exe  zatutor.exe  zlavscan.dll  zlclient.exe  isafe.exe  cafix.exe  vsvault.dll  av.dll  vetredir.dll   

The files mentioned above are renamed with those names:

C1CSETMGR.EXE  CC1EVTMGR.EXE  NAV1APSVC.EXE  NPFM1NTOR.EXE  s1ymlcsvc.exe  SP1BBCSvc.exe  SND1Srvc.exe  ccA1pp.exe  cc1l30.dll  ccv1rtrst.dll  LUAL1L.EXE  AUPD1ATE.EXE  Luup1date.exe  LUI1NSDLL.DLL  RuLa1unch.exe  CM1Grdian.exe  Mcsh1ield.exe  outp1ost.exe  Avc1onsol.exe  Vshw1in32.exe  Vs1Stat.exe  Av1synmgr.exe  kav12mm.exe  Up222Date.exe  K2A2V.exe  avgc3c.exe  avg23emc.exe  zonealarm.exe  zatutor.exe  zlavscan.dll  zo3nealarm.exe  zatu6tor.exe  zl5avscan.dll  zlcli6ent.exe  is5a6fe.exe  c6a5fix.exe  vs6va5ult.dll  a5v.dll  ve6tre5dir.dll   

So all the affected software keeps working until next system restart. After restart all affected software will stop working because its files were renamed by the trojan.

After this the trojan terminates services with the following names:

SharedAccess  wscsvc   

The next step that the trojan does is to create a thread that kills processes with the following names:


Finally the trojan tries to download a file from several webservers. The file is placed to Window directory as '_re_file.exe' and is run. The trojan tries to download from the following hardcoded locations:   

We are monitoring these locations in order to catch malware that the trojan's author is going to put there.


F-Secure Anti-Virus detects this malware starting from the following update:

Detection Type: PC

Database: 2005-02-28_01

Submit a Sample

Suspect a file or URL was wrongly detected?
Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info